A Non-default Port Is Not Security!

This month’s geek bitch-fest is about all these how-to guides out there that tell you to change various services to a non-default port. Unless it is necessary to avoid port conflicts (e.g. everything that tries to use port 80 and isn’t a web server) or to enable connectivity from public networks with strict firewall restrictions (e.g. a VPN tunnel that must run on port 80 for a user who frequently accesses your network from McDonald’s), it is seldom truly advantageous to do this. "But there are packet sniffers out there that will try to intercept data on standard ports like UDP 500." Yes, that is true. It may take an extra few seconds for such a malicious program or attacker to determine what port you have moved your VPN (or other service) to. So you have gained yourself a few seconds of safety at the cost of having to change the port on both the server and client side. And every time your end users lose their configuration, you will have to explain the extra steps they must take to configure their software for your non-standard port. The bottom line is, if you are relying on a different port to secure your network, you are in big trouble. Instead, consider using better encryption or other methods to repel attacks.

Changing ports as a means of security is like hiding behind a tree while an ogre is attacking. It may buy you a few seconds, but you are just as dead. It is far more effective to build a fortress surrounded by a moat with a drawbridge.